From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Friedrich Weber <f.weber@proxmox.com>,
Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH guest-common v2 1/6] guest helpers: add helper to overrule active tasks of a specific type
Date: Sat, 6 Apr 2024 10:37:19 +0200 [thread overview]
Message-ID: <8616c9a1-9e2c-4147-bd55-c4c8e8511ce4@proxmox.com> (raw)
In-Reply-To: <3106df5e-8b31-41f2-b66a-70c433faa4c1@proxmox.com>
Am 05/04/2024 um 15:13 schrieb Friedrich Weber:
> On 04/04/2024 17:20, Thomas Lamprecht wrote:
>> Or does it even make sense to check this at all?
>> As long as the user has the rights to execute a stop they probably
>> should also be able to force it at any time, even for other users?
>
> The usecase sounds reasonable, but would technically amount to a small
> privilege escalation: Currently, if user A and user B both have
> PVEVMUser and user A starts a `vzshutdown` task, user B must have
> `Sys.Modify` to kill the task.
>
Hmm, yeah, this is definitively something one could argue about as
we currently do not have much overruling functionality of tasks triggered
by other users that can manage a specific resource, but not the whole
system. So this is essential new territory w.r.t. semantics, and we can
also adapt new ones, albeit they should certainly not be completely
unexpected.
>> Maybe make this optional and only enforce it for users that do not
>> have some more powerful priv?
>
> We could introduce a similar check as for the DELETE
> /nodes/{node}/tasks/{upid} endpoint: Users can always overrule their own
> guest tasks, and with `Sys.Modify` they can overrule any guest task (for
> guests for which they have the necessary permission).
Yeah, I think that would be a safe bet for now.
> Still, right now I think the primary motivation for this overruling
> feature is to save GUI users some frustration and/or clicks. In this
> scenario, a user will overrule only their own tasks, which is possible
> with the current check. What do you think about keeping the check as it
> is for now, and making it more permissive once the need arises?
I think that allowing users that hold the respective Sys.Modify and
VM.PowerMgmt to overrule any tasks from the start wouldn't be to much
"speculative future-proofing" but rather something expected while still
safe.
FWIW, you could also drop the $authuser then and just get it from
the RPCEnv singleton available in all API call-paths and then do
the permission check in the helper directly.
This would IMO be also a bit better w.r.t. conveying why we do it this
way.
next prev parent reply other threads:[~2024-04-06 8:37 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-30 17:10 [pve-devel] [PATCH guest-common/container/qemu-server/manager v2 0/6] fix #4474: stop tasks may overrule shutdown tasks Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH guest-common v2 1/6] guest helpers: add helper to overrule active tasks of a specific type Friedrich Weber
2024-04-04 15:20 ` Thomas Lamprecht
2024-04-05 13:13 ` Friedrich Weber
2024-04-06 8:37 ` Thomas Lamprecht [this message]
2024-04-08 8:38 ` Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH container v2 2/6] api: status: move config locking from API handler into worker Friedrich Weber
2024-04-04 15:26 ` [pve-devel] applied: " Thomas Lamprecht
2024-04-05 13:16 ` Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH container v2 3/6] fix #4474: lxc api: add overrule-shutdown parameter to stop endpoint Friedrich Weber
2024-04-06 15:07 ` Thomas Lamprecht
2024-04-08 8:59 ` Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH qemu-server v2 4/6] fix #4474: qemu " Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH manager v2 5/6] ui: fix typo to make pve-cluster-tasks store globally available Friedrich Weber
2024-01-30 17:10 ` [pve-devel] [PATCH manager v2 6/6] fix #4474: ui: guest stop: offer to overrule active shutdown tasks Friedrich Weber
2024-04-03 6:55 ` [pve-devel] [PATCH guest-common/container/qemu-server/manager v2 0/6] fix #4474: stop tasks may overrule " Friedrich Weber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8616c9a1-9e2c-4147-bd55-c4c8e8511ce4@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=f.weber@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox